Method for protecting an electronic system with modular exponentiation-based cryptography against attacks by physical analysis

ABSTRACT

The invention concerns a method for protecting an electronic system implementing a cryptographic calculation process involving a modular exponentiation of a quantity (x), said modular exponentiation using a secret exponent (d), characterized in that said secret exponent is broken down into a plurality of k unpredictable values (d₁, d₂, . . . , d_(k)), the sum of which is equal to said secret exponent.

FIELD OF THE INVENTION

The present invention relates to a method for protecting an electronic system implementing an algorithm involving a modular exponentiation, in which the exponent is secret. More precisely, the purpose of the method is to create a version of such an algorithm that is not vulnerable to a certain type of physical attack, called Differential Power Analysis or High-Order Differential Power Analysis (abbreviated DPA or HO-DPA), which tries to obtain information on the secret key from a study of the electric power consumption of the electronic system during the execution of the calculation.

BACKGROUND OF THE INVENTION

The cryptographic algorithms considered herein use a secret key to calculate a piece of output information based on a piece of input information; this can involve an encryption, decryption, signature, signature verification, authentication, non-repudiation or key-exchange operation. They are constructed in such a way that a hacker, knowing the inputs and the outputs, cannot in practice deduce any information on the secret key itself.

We are therefore interested in a class larger than that traditionally designated by the expression secret key algorithms or symmetrical algorithms. In particular, everything described in the present patent application also applies to so-called public key or asymmetrical algorithms, which actually include two keys: one public, the other private and not divulged, the latter being the one targeted by the attacks described below.

Attacks of the Power Analysis type, developed by Paul Kocher and Cryptography Research (see the document Introduction to Differential Power Analysis and Related Attacks by Paul Kocher, Joshua Jaffe, and Benjamin Jun, Cryptography Research, 870 Market St., Suite 1008, San Francisco, Calif. 94102; HTML edition of the document available at the URL address: http://www.cryptography.com/dpa/technical/index.html) start with the observation that in reality the hacker can acquire information other than simply the input and output data during the execution of the calculation, such as for example the power consumption of the microcontroller or the electromagnetic radiation emitted by the circuit.

Differential power analysis is an attack that makes it possible to obtain information on the secret key contained in the electronic system, by performing a statistical analysis of the power consumption records, performed on a large number of calculations with this same key.

This attack does not require any knowledge of the individual power consumption of each instruction, or of the temporal position of each of these instructions. It applies in the same way assuming that the hacker knows some of the outputs of the algorithm and the corresponding consumption curves. It is based solely on the fundamental hypothesis according to which:

Fundamental hypothesis: There is an intermediate variable appearing during the calculation of the algorithm, such that the knowledge of a few key bits, in practice less than 32 bits, makes it possible to decide whether or not two inputs, respectively two outputs, give the same value for this variable.

The so-called high-order power analysis attacks are a generalization of the DPA attack described above. They can use several different sources of information: in addition to the consumption, they can use measurements of electromagnetic radiation, temperature, etc., performing statistical operations that are more sophisticated than the simple notion of an average, and intermediate variables that are less elementary than a simple bit or a simple byte. Nevertheless, they are based on exactly the same fundamental hypothesis as DPA.

The object of the method that is the subject of the present invention is to eliminate the risk of DPA or HO-DPA attacks on electronic systems with secret or private key cryptography involving modular exponentiation in which the exponent is secret.

Another object of the present invention is consequently to modify the cryptographic calculation process implemented by protected electronic cryptographic systems, in such a way that the aforementioned fundamental hypothesis is no longer verified, i.e. that there is no intermediate variable that depends on a small, easily accessible part of the secret or private key, attacks of the DPA or HO-DPA type thus being rendered ineffective.

First example: the RSA algorithm

RSA is the most famous of the asymmetrical cryptographic algorithms. It was developed by Rivest, Shamir and Adleman in 1978. For a more detailed description of this algorithm, it may be useful to refer to the following document:

-   R. L. Rivest, A. Shamir, L. M. Adleman, A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, Communications of the ACM, 21, No. 2, 1978, pp. 120–126, or to the following documents:
-   ISO/IEC 9594-8/ITU-T X.509, Information Technology—Open Systems Interconnection—The Directory: Authentication Framework;
-   ANSI X9.31.1, American National Standard, Public-Key Cryptography Using Reversible Algorithms for the Financial Services Industry, 1993;
-   PKCS #1, RSA Encryption Standard, version 2, 1998, available at the following address: ftp://ftp.rsa.com/pub/pkcs/doc/pkcs-1v2.doc.

The RSA algorithm uses a whole number n that is the product of two large prime numbers p and q, and a whole number e, prime with ppcm(p−1, q−1) (the least common multiple of p−1 and q−1), and such that e≠±1 mod ppcm(p−1, q−1). The whole numbers n and e constitute the public key. The public key calculation uses the function g of Z/nZ in Z/nZ defined by g(x)=x^(e) mod n. The secret key calculation uses the function g⁻¹(y)=y^(d) mod n, where d is the secret exponent (also called the secret or private key) defined by ed≡1 mod ppcm(p−1, q−1).

Attacks of the DPA or HO-DPA type can pose a threat to the standard implementations of the RSA algorithm. In essence, the latter very often use the so-called square and multiply principle to perform the calculation of x^(d) mod n.

This principle consists of writing the breakdown d=b_(m−1)·2^(m−1)+b_(m−2)·2^(m−2)+ . . . +b₁·2¹+b₀·2⁰ of the secret exponent d in base 2, then performing the calculation in the following way:

-   1. z←1;
-   for i running from m−1 to 0 perform:
    -   2. z←z² mod n;
    -   3. if b_(i)=1 then z←z×x mod n.

In this calculation, it is clear that among the successive values assumed by the variable z, the first ones depend on only a few bits of the secret key d. The fundamental hypothesis that makes the DPA attack possible is therefore fulfilled. It is thus possible to guess, for example, the 10 high-order bits of d by concentrating on the consumption measurements in the part of the algorithm that corresponds to i running from m−1 to m−10, which makes it possible to find the next ten bits of d, and so on. Eventually, all the bits of the secret exponent d are found.
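The square-and-multiply loop above, written out in Python as an added illustration (not part of the patent text). The helper records every successive value of z and shows that the first iterations of the trace are identical for two exponents that share their high-order bits, which is precisely the dependency on a few key bits that the fundamental hypothesis relies on. All parameters are constructed toy values.

```python
def square_and_multiply(x, d, n, trace=None):
    """x^d mod n by the square-and-multiply principle, scanning the bits
    b_{m-1} ... b_0 of d from the most significant one.  If ``trace`` is a
    list, the value of z after each iteration is appended to it."""
    z = 1                                          # step 1: z <- 1
    for i in range(d.bit_length() - 1, -1, -1):    # i runs from m-1 down to 0
        z = z * z % n                              # step 2: z <- z^2 mod n
        if (d >> i) & 1:                           # step 3: if b_i = 1 ...
            z = z * x % n                          #         ... then z <- z * x mod n
        if trace is not None:
            trace.append(z)
    return z


def shared_prefix_length(x, d_a, d_b, n):
    """Number of leading iterations whose intermediate z is the same for the
    two exponents d_a and d_b (same bit length assumed).  The value of z after
    iteration i depends only on bits b_{m-1} ... b_i, so exponents that agree
    on their top t bits give identical traces for the first t iterations: the
    early intermediate values depend on only a few key bits."""
    trace_a, trace_b = [], []
    square_and_multiply(x, d_a, n, trace_a)
    square_and_multiply(x, d_b, n, trace_b)
    common = 0
    for z_a, z_b in zip(trace_a, trace_b):
        if z_a != z_b:
            break
        common += 1
    return common


# Constructed toy values (far too small for real use).
N_TOY = 0xFFFF_FFFF_FFFF_FFC5                      # 2^64 - 59, a 64-bit prime modulus
X_TOY = 0x1234_5678_9ABC_DEF1
D_A = (0b1011_0110_11 << 10) | 0b01_0011_1010      # 20-bit exponent
D_B = (0b1011_0110_11 << 10) | 0b11_1100_0101      # same top 10 bits, different low 10 bits
```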

A First Protection Method, and its Disadvantages

A conventional method (proposed by Ronald Rivest in 1995) for protecting the RSA algorithm against DPA type attacks consists of using a “blinding” principle. This uses the fact that:

x^(d) mod n=(x×r^(e))^(d)×r⁻¹ mod n

Thus, the calculation of y=x^(d) mod n is broken down into four steps:

-   A random generator is used to obtain a value r;
-   We calculate: u=x×r^(e) mod n;
-   We calculate: v=u^(d) mod n;
-   We calculate: y=v×r⁻¹ mod n.

The disadvantage of this method is that it makes it necessary, for each calculation, to calculate the modular inverse r⁻¹ of the random value r, this operation generally being time-consuming (the duration of such a calculation is on the same order as that of a modular exponentiation such as u^(d) mod n). Consequently, this new implementation (protected against DPA attacks) of the calculation of x^(d) mod n takes about twice as long as the initial implementation (not protected against DPA attacks). In other words, this protection of RSA against DPA attacks increases the calculation time by approximately 100% (assuming that the public exponent e is very small, for example e=3; if the exponent e is larger, this calculation time is even longer).
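The four blinding steps in Python, as an added example that is not part of the patent text. The toy RSA parameters are constructed (not a real key); the modular inverse computed before the last step is the extra cost the paragraph above describes.

```python
import secrets
from math import gcd, lcm


def rsa_toy_key():
    """Constructed toy RSA parameters: n = p*q and e*d = 1 mod ppcm(p-1, q-1)."""
    p, q, e = 61, 53, 17
    n = p * q
    d = pow(e, -1, lcm(p - 1, q - 1))
    return n, e, d


def blinded_modexp(x, d, e, n, r=None):
    """x^d mod n computed with the blinding identity
       x^d = (x * r^e)^d * r^-1 mod n,
    so the exponentiation with the secret exponent d is performed on the
    blinded base u = x * r^e, which an observer cannot predict from x."""
    if r is None:
        while True:                               # step 1: random r, invertible mod n
            r = secrets.randbelow(n - 2) + 2
            if gcd(r, n) == 1:
                break
    u = x * pow(r, e, n) % n                      # step 2: u = x * r^e mod n
    v = pow(u, d, n)                              # step 3: v = u^d mod n (secret exponent)
    r_inv = pow(r, -1, n)                         # the costly modular inverse r^-1
    return v * r_inv % n                          # step 4: y = v * r^-1 mod n
```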

A Second Method: The Method of the Present Invention

According to the invention, a method for protecting an electronic system implementing a cryptographic calculation process involving a modular exponentiation of a quantity (x), said modular exponentiation using a secret exponent (d), is characterized in that said secret exponent is broken down into a plurality of k unpredictable values (d₁, d₂, . . . , d_(k)), the sum of which is equal to said secret exponent.

Advantageously, said values (d₁, d₂, . . . , d_(k)) are obtained in the following way:

-   a) (k−1) values are obtained by means of a random generator;
-   b) the final value is obtained from the difference between the secret exponent and the (k−1) values.

Advantageously, the calculation of the modular exponentiation is performed in the following way:

-   a) for each of said k values, the quantity (x) is raised by an exponent comprising said value in order to obtain a result, a set of results thus being obtained;
-   b) a product of the results obtained in step a) is calculated.

Advantageously, at least one of said (k−1) values obtained by means of a random generator has a length greater than or equal to 64 bits.

Some of the details and advantages of the present invention will emerge from the following description of some preferred but non-limiting embodiments, in reference to the sole attached figure, which represents a smart card.

According to the invention, we use the fact that:

if d=d₁+d₂, then x^(d) mod n=x^(d₁)×x^(d₂) mod n

Thus, the calculation of y=x^(d) mod n is broken down into five steps:

-   A random generator is used to obtain a value d₁;
-   We calculate: d₂=d−d₁;
-   We calculate: u=x^(d₁) mod n;
-   We calculate: v=x^(d₂) mod n;
-   We calculate: y=u×v mod n.

The advantage is that, this way, there is no modular inverse to calculate. In general, the calculation time of a modular exponentiation is proportional to the size of the exponent. Thus, if we let α be the ratio between the size of d₁ and the size of d₂, it is clear that the total calculation time in this new implementation (protected against DPA attacks) is about (1+α) times the calculation time in the initial implementation (not protected against DPA attacks).

Note that, in order to obtain an unpredictable value d₁, it is necessary for its size to be at least 64 bits.

The method thus described renders attacks of the DPA or HO-DPA type described above ineffective. In essence, in deciding whether or not two inputs (respectively two outputs) of the algorithm give the same value for an intermediate variable appearing during the calculation, it is no longer enough to know the key bits involved. It is also necessary to know the breakdown of the secret key d into k values d₁, d₂, . . . , d_(k) such that d=d₁+d₂+ . . . +d_(k). Assuming that this breakdown is secret, and that at least one of the k values has a size of at least 64 bits, the hacker cannot predict the values of d₁, . . . , d_(k), and therefore the fundamental hypothesis that would make it possible to implement a DPA or HO-DPA type attack is no longer verified.

EXAMPLES

-   1. If n has a length of 512 bits, by choosing to take a random value d₁ of 64 bits, we obtain α=1/8, which means that this protection of RSA against DPA attacks increases the calculation time by about 12.5%.
-   2. If n has a length of 1024 bits, by choosing to take a random value d₁ of 64 bits, we obtain α=1/16, which means that this protection of RSA against DPA attacks increases the calculation time by about 6.25%.

Second Example: the Rabin Algorithm

We will now consider the asymmetrical cryptographic algorithm developed by Rabin in 1979. For a more detailed description of this algorithm, it may be useful to refer to the following document:

-   M. O. Rabin, Digitized Signatures and Public-Key Functions as Intractable as Factorization, Technical Report LCS/TR-212, M.I.T. Laboratory for Computer Science, 1979.

The Rabin algorithm uses a whole number n that is the product of two large prime numbers p and q, which also verify the following two conditions:

-   p is congruent with 3 modulo 8;
-   q is congruent with 7 modulo 8.

The public key calculation uses the function g of Z/nZ in Z/nZ defined by g(x)=x² mod n. The secret key calculation uses the function g⁻¹(y)=y^(d) mod n, where d is the secret exponent (also called the secret or private key) defined by d=((p−1)(q−1)/4+1)/2.

The function implemented by the secret key calculation being exactly the same as that used by the RSA algorithm, the same DPA or HO-DPA attacks are applicable and can pose the same threats to the Rabin algorithm.

Protecting the Algorithm

Since the function is exactly the same as the one in RSA, the protection method described in the RSA context is applied in the same way in the case of the Rabin algorithm. The increase in the calculation time caused by the application of this method is also the same as in the case of the RSA algorithm.
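The exponent-splitting method of the preceding sections in Python, as an added example that is not from the patent: it generalises the two-part split to k parts, applies it unchanged to both the RSA exponent and the Rabin exponent d=((p−1)(q−1)/4+1)/2, and reproduces the calculation-time ratio of Examples 1 and 2. The toy primes are constructed, and the 64-bit minimum for the random parts only makes sense for real-size exponents.

```python
import secrets
from math import lcm


def rsa_toy_key():
    """Constructed toy RSA parameters (not a real key): e*d = 1 mod ppcm(p-1, q-1)."""
    p, q, e = 61, 53, 17
    return p * q, e, pow(e, -1, lcm(p - 1, q - 1))


def rabin_exponent(p, q):
    """Rabin secret exponent d = ((p-1)(q-1)/4 + 1)/2 for p = 3 mod 8, q = 7 mod 8."""
    assert p % 8 == 3 and q % 8 == 7
    return ((p - 1) * (q - 1) // 4 + 1) // 2


def split_exponent(d, k=2, rand_bits=64):
    """Steps a) and b) of the method: k-1 random values of rand_bits bits (top bit
    forced so that each really has that length), the last value being d minus
    their sum, so that the k values add up to d."""
    parts = [secrets.randbits(rand_bits) | (1 << (rand_bits - 1)) for _ in range(k - 1)]
    last = d - sum(parts)
    if last <= 0:            # d must exceed the random parts; real exponents are far larger
        raise ValueError("secret exponent too small for k-1 random parts of this size")
    return parts + [last]


def split_modexp(x, parts, n):
    """x^d mod n as the product of x^(d_i) mod n over the parts.  The exponent d
    itself never appears in any exponentiation and no modular inverse is needed."""
    y = 1
    for d_i in parts:
        y = y * pow(x, d_i, n) % n
    return y


def overhead(n_bits, rand_bits=64):
    """Calculation-time ratio (1 + alpha) of the protected implementation, alpha
    being the ratio between the size of d_1 (rand_bits) and the size of d_2,
    which is about the size of n."""
    return 1 + rand_bits / n_bits
```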

BRIEF DESCRIPTION OF THE DRAWING

FIG. 1 is a representation of a smart card.

The invention can be implemented in any electronic system performing a cryptographic calculation involving a modular exponentiation, including a smart card 8 as shown in FIG. 1. The chip includes information processing means 9, connected on one end to a nonvolatile memory 10 and a volatile working memory RAM 11, and connected on another end to means 12 for cooperating with an information processing device. The nonvolatile memory 10 can comprise a non-modifiable ROM part and a modifiable part constituted by an EPROM, an EEPROM or a RAM of the “flash” type, or FRAM (the latter being a ferromagnetic RAM), i.e., having the characteristics of an EEPROM but with access times identical to those of a standard RAM.

For the chip, it is possible to use, in particular, a self-programmable microprocessor with a nonvolatile memory, as described in U.S. Pat. No. 4,382,279 assigned to the assignee of the present invention. In a variant, the microprocessor of the chip is replaced, or at least supplemented, by logical circuits installed in a semiconductor chip. In essence, such circuits are capable of performing calculations, including authentication and signature calculations, as a result of hard-wired, rather than microprogrammed, electronics. In particular, they can be of the ASIC (“Application Specific Integrated Circuit”) type. Advantageously, the chip is designed in monolithic form.

In the case of the utilization of such an electronic system, the invention consists in a method for protecting an electronic system comprising information processing means and information storage means, the method implementing a cryptographic calculation process involving a modular exponentiation of a quantity (x) stored in the information storage means, said modular exponentiation using a secret exponent (d) stored in the storage means, characterized in that, by means of said information processing means, said secret exponent read in said information storage means is broken down into a plurality of k unpredictable values (d₁, d₂, . . . , d_(k)), the sum of which is equal to said secret exponent, said k unpredictable values being stored in the information storage means.

Advantageously, said values (d₁, d₂, . . . , d_(k)) are obtained in the following way:

-   a) (k−1) values are obtained by means of a random generator and stored in the information storage means;
-   b) the final value is obtained from the difference between the secret exponent and the (k−1) values, calculated by means of said information processing means.

Advantageously, the calculation of the modular exponentiation is performed in the following way:

-   a) for each of said k values, the quantity (x) is raised by an exponent comprising said value in order to obtain a result, a set of results thus being obtained;
-   b) a product of the results obtained in step a) is calculated.

Advantageously, at least one of said (k−1) values obtained by means of a random generator has a length greater than or equal to 64 bits.

While this invention has been described in conjunction with specific embodiments thereof, it is evident that many alternatives, modifications and variations will be apparent to those skilled in the art. Accordingly, the preferred embodiments of the invention as set forth herein, are intended to be illustrative, not limiting. Various changes may be made without departing from the true spirit and full scope of the invention as set forth herein and defined in the claims.

1. A method adapted to protect a smart card implementing a cryptographic process involving calculation of a modular exponentiation of a quantity (x), said modular exponentiation using a secret exponent (d), comprising breaking down said secret exponent (d) into unpredictable values (d1, d2, . . . , dk), wherein k is greater than 2, and at least one of said (k−1) values has a length at least equal to 64 bits, the sum of which is equal to said secret exponent (d), including: deriving (k−1) unpredictable values (d1, d2, . . . , dk−1) using a random generator; obtaining a final unpredictable value (dk) from the difference between the secret exponent (d) and the (k−1) unpredictable values (d1, d2, . . . , dk−1); creating k intermediate results by performing modular exponentiation on the quantity (x) using the k unpredictable values (d1, d2, . . . , dk−1, dk); and calculating a final result based on the k intermediate results, equal to the modular exponentiation of the quantity (x) using the secret exponent (d).

2. Utilizing the method according to claim 1 in the smart card comprising information processing means.

3. Utilizing the method according to claim 1 for protecting a cryptographic calculation process using the RSA algorithm.

4. Utilizing the method according to claim 1 for protecting a cryptographic calculation process using the Rabin algorithm.

5. A method adapted to protect a smart card implementing a cryptographic process involving calculation of a modular exponentiation of a quantity (x), said modular exponentiation using a secret exponent (d), comprising: breaking down said secret exponent (d) into a plurality of k unpredictable values (d1, d2, . . . , dk), the sum of which is equal to said secret exponent; obtaining said unpredictable values (d1, d2, . . . , dk) by deriving (k−1) values by means of a random generator, wherein k is greater than 2, and at least one of said (k−1) values has a length at least equal to 64 bits, by raising the quantity (x) by an exponent comprising a final value and obtaining a set of results for each of said k values and calculating a product of the set of results and taking the difference between the secret exponent and the (k−1) values to derive the final value.

6. A smart card adapted to protect an electronic system comprising: means for implementing a cryptographic process involving calculation of a modular exponentiation of a quantity (x), said modular exponentiation using a secret exponent (d), comprising: means for breaking down said secret exponent (d) into a plurality of k unpredictable values (d1, d2, . . . , dk), the sum of which is equal to said secret exponent, means for obtaining said unpredictable values (d1, d2, . . . , dk) by a random generator for deriving (k−1) values, wherein k is greater than 2, and at least one of said (k−1) values has a length at least equal to 64 bits, and means for taking the difference between the secret exponent and the (k−1) values to derive the final value.

7. A smart card according to claim 6, wherein calculation of the modular exponentiation is performed by: a) raising the quantity (x) by an exponent comprising said value to obtain a set of results for each of said k values and b) calculating a product of the results obtained.